This is a digital security company reporting their findings, along with the fix. They did everything that could be expected of them. The real problem is how long RH took to address the vulnerabilities. OSS isn't an excuse. There are other OSS projects with far fewer resources that take security much more seriously. To make it worse, it isn't easy to switch IdP software - even for OSS ones.